fix(rdb): maintain ACL during RDB instance engine upgrade (#3832)

* Maintain ACL during RDB instance engine upgrade (fix #3627)

* fix(rdb): document and warn about ACL reconciliation after blue-green engine upgrades.

* fix(rdb): format ACL upgrade helpers and compress the engine upgrade ACL cassette.

Author: jremy42

docs/resources/rdb_instance.md

@@ -219,6 +219,8 @@ interruption.
 
 ~> **Important** Updates to `engine` will perform a blue/green upgrade using `MajorUpgradeWorkflow`. This creates a new instance from a snapshot, migrates endpoints automatically, and updates the Terraform state with the new instance ID. The upgrade ensures minimal downtime but **any writes between the snapshot and the endpoint migration will be lost**. Use the `upgradable_versions` computed attribute to check available versions for upgrade.
 
+~> **Note** The provider copies instance-level data managed outside `scaleway_rdb_instance`, such as ACL rules, to the upgraded instance during the engine upgrade. However, Terraform plans dependent resources before the blue/green upgrade returns the new instance ID. As a result, resources that reference the previous instance ID, such as `scaleway_rdb_acl`, may require a second `terraform apply` to fully reconcile their Terraform state with the upgraded instance.
+
 - `volume_type` - (Optional, default to `lssd`) Type of volume where data are stored (`lssd`, `sbs_5k` or `sbs_15k`).
 
 - `volume_size_in_gb` - (Optional) Volume size (in GB). Cannot be used when `volume_type` is set to `lssd`.

internal/services/rdb/acl.go

@@ -356,6 +356,49 @@ func mergeDiffToSchema(rulesFromSchema map[string]struct{}, ruleMap map[string]*
 	return res
 }
 
+func maintainACLDuringUpgrade(ctx context.Context, api *rdb.API, region scw.Region, oldInstanceID, newInstanceID string) error {
+	res, err := api.ListInstanceACLRules(&rdb.ListInstanceACLRulesRequest{
+		Region:     region,
+		InstanceID: locality.ExpandID(oldInstanceID),
+	}, scw.WithAllPages(), scw.WithContext(ctx))
+	if err != nil {
+		if httperrors.Is404(err) {
+			return nil
+		}
+
+		return err
+	}
+
+	if len(res.Rules) == 0 {
+		return nil
+	}
+
+	rules := rdbACLRulesToRequests(res.Rules)
+	_, err = api.SetInstanceACLRules(&rdb.SetInstanceACLRulesRequest{
+		Region:     region,
+		InstanceID: locality.ExpandID(newInstanceID),
+		Rules:      rules,
+	}, scw.WithContext(ctx))
+
+	return err
+}
+
+func rdbACLRulesToRequests(rules []*rdb.ACLRule) []*rdb.ACLRuleRequest {
+	if len(rules) == 0 {
+		return nil
+	}
+
+	reqs := make([]*rdb.ACLRuleRequest, len(rules))
+	for i, r := range rules {
+		reqs[i] = &rdb.ACLRuleRequest{
+			IP:          r.IP,
+			Description: r.Description,
+		}
+	}
+
+	return reqs
+}
+
 func rdbACLRulesFlatten(rules []*rdb.ACLRule) []map[string]any {
 	res := make([]map[string]any, 0, len(rules))
 

internal/services/rdb/instance.go

@@ -1097,6 +1097,12 @@ func ResourceRdbInstanceUpdate(ctx context.Context, d *schema.ResourceData, m an
 				}
 			}
 
+			if err := maintainACLDuringUpgrade(ctx, rdbAPI, region, oldInstanceID, ID); err != nil {
+				tflog.Warn(ctx, fmt.Sprintf("Failed to maintain ACL during upgrade: %v", err))
+			} else {
+				tflog.Warn(ctx, "ACL rules were copied to the upgraded instance. Because the instance ID changed during the blue/green upgrade, dependent resources such as scaleway_rdb_acl may require a second terraform apply to reconcile their state.")
+			}
+
 			_, err = waitForRDBInstance(ctx, rdbAPI, region, oldInstanceID, d.Timeout(schema.TimeoutUpdate))
 			if err != nil && !httperrors.Is404(err) {
 				tflog.Warn(ctx, fmt.Sprintf("Old instance %s not ready for deletion: %v", oldInstanceID, err))

internal/services/rdb/instance_test.go

@@ -9,6 +9,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
 	rdbSDK "github.com/scaleway/scaleway-sdk-go/api/rdb/v1"
+	"github.com/scaleway/scaleway-sdk-go/scw"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/acctest"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/httperrors"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/services/rdb"
@@ -1860,6 +1861,167 @@ func TestAccInstance_EngineUpgradeKeepsHA(t *testing.T) {
 	})
 }
 
+func TestAccInstance_EngineUpgrade_WithACL(t *testing.T) {
+	tt := acctest.NewTestTools(t)
+	defer tt.Cleanup()
+
+	oldVersion, newVersion := rdbchecks.GetEngineVersionsForUpgrade(tt, postgreSQLEngineName)
+	if oldVersion == newVersion {
+		t.Skip("Need at least 2 different PostgreSQL versions for upgrade testing")
+	}
+
+	aclRule1 := "1.2.3.4/32"
+	aclRule2 := "9.0.0.0/16"
+
+	var oldInstanceID string
+
+	configForVersion := func(version string) string {
+		return fmt.Sprintf(`
+			resource "scaleway_rdb_instance" "main" {
+				name               = "test-rdb-engine-upgrade-acl"
+				node_type          = "db-dev-s"
+				engine             = %q
+				is_ha_cluster      = false
+				disable_backup     = true
+				user_name          = "test_user"
+				password           = "thiZ_is_v&ry_s3cret"
+				tags               = ["terraform-test", "engine-upgrade-acl"]
+				volume_type        = "sbs_5k"
+				volume_size_in_gb  = 10
+			}
+
+			resource "scaleway_rdb_acl" "main" {
+				instance_id = scaleway_rdb_instance.main.id
+				acl_rules {
+					ip          = %q
+					description = "rule1"
+				}
+				acl_rules {
+					ip          = %q
+					description = "rule2"
+				}
+			}
+		`, version, aclRule1, aclRule2)
+	}
+
+	resource.ParallelTest(t, resource.TestCase{
+		ProtoV6ProviderFactories: tt.ProviderFactories,
+		CheckDestroy:             rdbchecks.IsInstanceDestroyed(tt),
+		Steps: []resource.TestStep{
+			{
+				Config: configForVersion(oldVersion),
+				Check: resource.ComposeTestCheckFunc(
+					isInstancePresent(tt, "scaleway_rdb_instance.main"),
+					resource.TestCheckResourceAttr("scaleway_rdb_instance.main", "engine", oldVersion),
+					resource.TestCheckResourceAttr("scaleway_rdb_acl.main", "acl_rules.0.ip", aclRule1),
+					resource.TestCheckResourceAttr("scaleway_rdb_acl.main", "acl_rules.1.ip", aclRule2),
+					func(s *terraform.State) error {
+						rs, ok := s.RootModule().Resources["scaleway_rdb_instance.main"]
+						if !ok {
+							return errors.New("resource not found: scaleway_rdb_instance.main")
+						}
+
+						_, _, instanceID, err := rdb.NewAPIWithRegionAndID(tt.Meta, rs.Primary.ID)
+						if err != nil {
+							return err
+						}
+
+						oldInstanceID = instanceID
+
+						return nil
+					},
+				),
+			},
+			{
+				Config:             configForVersion(newVersion),
+				ExpectNonEmptyPlan: true,
+				Check: resource.ComposeTestCheckFunc(
+					isInstancePresent(tt, "scaleway_rdb_instance.main"),
+					resource.TestCheckResourceAttr("scaleway_rdb_instance.main", "engine", newVersion),
+					resource.TestCheckResourceAttr("scaleway_rdb_acl.main", "acl_rules.0.ip", aclRule1),
+					resource.TestCheckResourceAttr("scaleway_rdb_acl.main", "acl_rules.1.ip", aclRule2),
+					resource.TestCheckResourceAttr("scaleway_rdb_acl.main", "acl_rules.0.description", "rule1"),
+					resource.TestCheckResourceAttr("scaleway_rdb_acl.main", "acl_rules.1.description", "rule2"),
+					checkInstanceACLRules(tt, "scaleway_rdb_instance.main", []string{aclRule1, aclRule2}),
+				),
+			},
+			{
+				Config: configForVersion(newVersion),
+				Check: resource.ComposeTestCheckFunc(
+					isInstancePresent(tt, "scaleway_rdb_instance.main"),
+					resource.TestCheckResourceAttr("scaleway_rdb_instance.main", "engine", newVersion),
+					resource.TestCheckResourceAttr("scaleway_rdb_acl.main", "acl_rules.0.ip", aclRule1),
+					resource.TestCheckResourceAttr("scaleway_rdb_acl.main", "acl_rules.1.ip", aclRule2),
+					resource.TestCheckResourceAttr("scaleway_rdb_acl.main", "acl_rules.0.description", "rule1"),
+					resource.TestCheckResourceAttr("scaleway_rdb_acl.main", "acl_rules.1.description", "rule2"),
+					checkInstanceACLRules(tt, "scaleway_rdb_instance.main", []string{aclRule1, aclRule2}),
+					func(s *terraform.State) error {
+						instanceRS, ok := s.RootModule().Resources["scaleway_rdb_instance.main"]
+						if !ok {
+							return errors.New("resource not found: scaleway_rdb_instance.main")
+						}
+
+						aclRS, ok := s.RootModule().Resources["scaleway_rdb_acl.main"]
+						if !ok {
+							return errors.New("resource not found: scaleway_rdb_acl.main")
+						}
+
+						_, _, newInstanceID, err := rdb.NewAPIWithRegionAndID(tt.Meta, instanceRS.Primary.ID)
+						if err != nil {
+							return err
+						}
+
+						if newInstanceID == oldInstanceID {
+							return fmt.Errorf("expected new instance ID after upgrade, but got same ID: %s", newInstanceID)
+						}
+
+						if aclRS.Primary.ID != instanceRS.Primary.ID {
+							return fmt.Errorf("expected ACL resource to track upgraded instance ID %s after second apply, got %s", instanceRS.Primary.ID, aclRS.Primary.ID)
+						}
+
+						return nil
+					},
+				),
+			},
+		},
+	})
+}
+
+func checkInstanceACLRules(tt *acctest.TestTools, instanceResource string, expectedIPs []string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[instanceResource]
+		if !ok {
+			return fmt.Errorf("resource not found: %s", instanceResource)
+		}
+
+		rdbAPI, region, instanceID, err := rdb.NewAPIWithRegionAndID(tt.Meta, rs.Primary.ID)
+		if err != nil {
+			return err
+		}
+
+		res, err := rdbAPI.ListInstanceACLRules(&rdbSDK.ListInstanceACLRulesRequest{
+			Region:     region,
+			InstanceID: instanceID,
+		}, scw.WithAllPages())
+		if err != nil {
+			return fmt.Errorf("listing ACL rules: %w", err)
+		}
+
+		actualIPs := make(map[string]bool)
+		for _, r := range res.Rules {
+			actualIPs[r.IP.String()] = true
+		}
+
+		for _, expected := range expectedIPs {
+			if !actualIPs[expected] {
+				return fmt.Errorf("expected ACL rule %q not found on instance, got: %v", expected, actualIPs)
+			}
+		}
+
+		return nil
+	}
+}
+
 func isInstancePresent(tt *acctest.TestTools, n string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[n]

internal/services/rdb/testdata/instance-engine-upgrade-with-acl.cassette.yaml

@@ -40,6 +40,8 @@ interruption.
 
 ~> **Important** Updates to `engine` will perform a blue/green upgrade using `MajorUpgradeWorkflow`. This creates a new instance from a snapshot, migrates endpoints automatically, and updates the Terraform state with the new instance ID. The upgrade ensures minimal downtime but **any writes between the snapshot and the endpoint migration will be lost**. Use the `upgradable_versions` computed attribute to check available versions for upgrade.
 
+~> **Note** The provider copies instance-level data managed outside `scaleway_rdb_instance`, such as ACL rules, to the upgraded instance during the engine upgrade. However, Terraform plans dependent resources before the blue/green upgrade returns the new instance ID. As a result, resources that reference the previous instance ID, such as `scaleway_rdb_acl`, may require a second `terraform apply` to fully reconcile their Terraform state with the upgraded instance.
+
 - `volume_type` - (Optional, default to `lssd`) Type of volume where data are stored (`lssd`, `sbs_5k` or `sbs_15k`).
 
 - `volume_size_in_gb` - (Optional) Volume size (in GB). Cannot be used when `volume_type` is set to `lssd`.